This year on May 12, the Biden administration issued an Executive Order on improving cybersecurity in the US, with the aim of galvanising public and private efforts to help detect, deter, protect against, and respond to sophisticated cyberattacks.
Prompted by recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident, the EO seeks to improve the nation’s cybersecurity and protect federal government networks.
In this article, we take a look at what the order involves, who is affected and what it means for medical device cybersecurity.
What does the Executive Order involve?
The Executive Order significantly contributes towards the modernisation of cybersecurity defences by protecting federal networks, improving cyber issue information-sharing between the US government and the private sector, and strengthening the US’s ability to respond to incidents when they occur.
The EO seeks to:
- Remove barriers to threat information-sharing between government and the private sector
- Modernise and implement stronger cybersecurity standards in the federal government
- Improve software supply chain security
- Establish a cybersecurity safety review board
- Create a standard playbook for responding to cyber incidents
- Improve detection of cybersecurity incidents on federal government networks
- Improve investigative and remediation capabilities
Who is affected?
Federal executive agencies will need to modernise their technology environment and security practices.
Contract terms for federal contractors, including commercial-off-the-shelf (COTS) software providers, will likely start to include new cybersecurity standards. And contractors will be required to share more information on any cyber incidents that occur.
For the private sector, software supply chain security and transparency will be emphasised through proposed consumer security labelling on software and internet of things (IoT) devices – so companies manufacturing these kinds of devices should prepare themselves for adapting to new security requirements and assessment standards.
The Executive Order outlines an array of cybersecurity objectives for the government to meet within a short timeline. As such, it is likely that rollout will first affect federal contractors, before filtering through to other industries as new standards are set and practices are adopted.
What are the positives?
The EO calls for making federal government systems stronger and safer, so they are harder to break into – namely by pushing action to modernise federal government cybersecurity and by using the government’s substantial purchasing power to impel the market to build security into all software from the ground up.
It also sets a goal for more agile and effective federal government responses by requiring IT providers to report cyber incidents, and by removing contractual barriers for them to share information with government entities.
The EO is also a step in the right direction for dealing with nation-state supply chain attacks, answering calls from the industry for a more holistic and organised approach to cyberthreats.
What are its limitations?
When it comes to cybersecurity for medical devices, the Executive Order is not “new news”. The provisions for enhancing supply chain security in the order are similar to some of the efforts already underway by the FDA to improve the cybersecurity of medical devices.
The FDA notes that several of its existing guidance documents mirror various proposals outlined in the EO. It states that its practices and efforts currently underway for operational technology cybersecurity (technology that monitors and controls specific devices) already encompass “the greater medical device security ecosystem” – for example:
- Its draft updated premarket cybersecurity guidance for medical devices, which contains a proposal for a “cybersecurity bill of materials” that lists components susceptible to vulnerabilities
- Its Content of Premarket Submissions for Management of Cybersecurity in Medical Devices guidance, which provides recommendations regarding cybersecurity device design, labelling, and documentation for premarket submissions for devices with a cybersecurity risk
- Its Postmarket Management of Cybersecurity in Medical Devices guidance, which provides recommendations for managing postmarket cybersecurity vulnerabilities in marketed medical devices
Furthermore, on May 26, 2021 the FDA’s Center for Devices and Radiological Health (CDRH) responded to the call from the National Institute of Standards and Technology (NIST) for position papers to fulfil Biden’s EO. The FDA’s response highlights existing FDA guidance documents and international standards on cybersecurity related to premarket reviews and postmarket surveillance.
Arguably, the Executive Order has come too late. Some industry voices have suggested that if organisations were not already undertaking the action outlined in the EO, it’s because they have specifically chosen not to. Given that software supply chain security is an essential part of managing risk to patients, the question is raised as to whether it’s time to transition from a “voluntary” approach to a regulatory mandate.
What needs to happen next?
The FDA has proposed that medical device manufacturers take action to improve the cybersecurity of their products, for example by producing a cybersecurity bill of materials. But these kinds of provisions are contained only in nonbinding voluntary guidance and draft guidance, rather than in regulatory mandates.
It could be argued that there should be a legislative move to expand the FDA’s statutory authority to mandate that medical device manufacturers take specific action to improve the cybersecurity of their products, both premarket and postmarket.
Currently, no requirement that expressly compels medical device manufacturers to address cybersecurity exists; however, the FDA’s Medical Device Safety Action Plan of 2018 does outline plans “to consider potential new premarket statutory authorities” that would require firms to take steps on medical device security, in an attempt to improve proactive responses to cybersecurity vulnerabilities.
The FDA seeks to “require” that:
- Medical devices possess the capability to be updated and patched in a timely manner;
- Premarket submissions include evidence demonstrating the capability for device updating and patching;
- A phased-in approach to a medical device cybersecurity bill of materials is taken, including a list of commercial, open-source and off-the-shelf software and hardware components that are or could become vulnerable;
- Medical device firms publicly disclose when they learn of a cybersecurity vulnerability, informing users and providing direction on how to reduce their risk.
While progress has been made under current processes, the existing recommendations arguably fail to match the current and potential levels of cyber threat. As such, it’s time for device manufacturers to be required to treat cybersecurity as a fundamental component during the development of software as a medical device.